CVE-2026-54413
Possible ATT&CK Techniques 2AI
T1203 · Exploitation for Client Execution T1068 · Exploitation for Privilege EscalationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| driftregion | iso14229 | ≤ 0.9.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-54413
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
driftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function in iso14229.c that allows a remote unauthenticated attacker to crash a UDS server and potentially read memory past the receive buffer by sending a single-byte 0x27 SecurityAccess request that follows any earlier well-formed 0x27 message. The handler reads the SecurityAccess subFunction from recv_buf[1] without first checking that recv_len is at least 2, then computes the key-data length as the unsigned subtraction (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN); when recv_len equals 1 the result underflows to 65535 and is passed as args.len to the application's SecAccessValidateKey or SecAccessRequestSeed callback, which typically iterates or copies that many bytes from the 4-KB receive buffer. Every other UDS sub-function handler in the library (0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x28, and others) performs an explicit recv_len lower-bound check before indexing; Handle_0x27_SecurityAccess is the sole outlier. The vulnerable handler reaches over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication; deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
整数下溢(超界折返)
Source: NVD (National Vulnerability Database)
Vulnerability Title
driftregion iso14229 缓冲区错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
driftregion iso14229是driftregion个人开发者的一个工业控制协议定义软件。 driftregion iso14229 0.9.0及之前版本存在缓冲区错误漏洞,该漏洞源于Handle_0x27_SecurityAccess()函数中存在整数下溢和越界读取,可能导致远程未经身份验证的攻击者通过发送单字节0x27 SecurityAccess请求,使UDS服务器崩溃并可能读取接收缓冲区之外的内存。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| driftregion | iso14229 | 0 ~ 0.9.0 | - |
II. Public POCs for CVE-2026-54413
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-54413
请登录查看更多情报信息。
News Coverage for CVE-2026-54413 (1)
- 🔗 CWE - CWE-191: Integer Underflow (Wrap or Wraparound) (4.20) Read full article technical-description
Other References for CVE-2026-54413 (1)
IV. Related Vulnerabilities
Same weakness: CWE-191
- CVE-2026-11850
Krb5: krb5: integer underflow in berval2tl_data() leads to h - CVE-2026-42542
TDengine has an integer underflow in uvConnMayGetUserInfo() - CVE-2026-42981
Windows Performance Monitor Remote Code Execution Vulnerabil - CVE-2026-42980
NT OS Kernel Elevation of Privilege Vulnerability - CVE-2026-45463
Microsoft Office Remote Code Execution Vulnerability
V. Comments for CVE-2026-54413
No comments yet